Posts Tagged ‘HIPAA’

Car Break-In Leads to Possible HIPAA Violation

October 11th, 2011

Thousands of confidential medical records were loaded onto a USB flash drive, which was subsequently stolen during a car break-in. Sound familiar? The spread of data breach notification laws throughout the US has brought to light hundreds of incidents that would have been glossed over in the past. In this case, the protected health information is covered under new regulations in HIPAA and the HITECH Act of 2009.

According to the MetroWest Daily News, it is unclear whether the incident will result in direct monetary damages, but it certainly has not been a public relations success:

Smith declined to say whether the loss of the records would be considered a violation of the Health Insurance Portability and Accountability Act - known as HIPAA - or whether the company could face penalties.

Under the Health Information Technology for Economic and Clinical Health Act of 2009, companies that experience a breach of health information covered by HIPAA for more than 500 patients are required to inform the patients and the media.

Data Security, Healthcare

Deja vu: NHS loses USB memory stick

October 3rd, 2011

According to TechEye, another NHS Trust has exposed confidential patient information by storing it on an unencrypted USB drive, which promptly disappeared. This is a continuing issue for the NHS.

The Surrey and Sussex Healthcare NHS Trust patient records were lost in September 2010. Shockingly, the details were on an unencrypted memory stick and worse, the 800 affected patients were never told. Leaked details include full name, date of birth and operation details.

Kanguru strongly recommends that all healthcare organizations protect patient data by mandating hardware encryption on all portable devices. The Kanguru Defender Elite secure flash drive is completing Common Criteria certification and is now available in the UK and throughout Europe. It is an ideal solution for healthcare data protection.

Data Security, Healthcare

HHS to Start Auditing For HIPAA Compliance

September 12th, 2011

Later this year the Department of Health and Human Services (HHS) will begin auditing health providers to ensure they are in compliance with the Health Insurance Portability and Accountability Act (HIPAA).

Despite both HIPAA and the HITECH Act, healthcare data breaches have been appearing regularly in the news. A recent study found that over 70% of hospitals had patient data breaches last year.

Data Security, Healthcare

Study details 6 years of data breach info

September 7th, 2011

A new study from the Digital Forensics Association, called The Leaking Vault 2011, covers 3,765 publicly disclosed data breach incidents over the past six years. The estimated cost of these data breaches totaled more than $156 billion. "Hacking" exposed the largest number of records, while "Drive/Media" exposures (lost or stolen drives and other media) were the second leading cause.

The study also breaks down incidents across the business, education, government and medical sectors. It clearly shows that data breaches can happen to a wide variety of institutions, not just those that handle "classified" information. State data breach laws and industry regulations like HIPAA have increased the spotlight on data security outside of traditional national security organizations. In fact, medical data breaches were the fastest growing segment from 2005-2010.

Read the full report for conclusions and recommendations.

Data Security, Financial, Government, Healthcare, Malware, Portable Storage

Is your hospital ready for EMR?

June 23rd, 2011

Electronic medical records are the future, and the government is encouraging their adoption through the HITECH Act. InfoSecurity.com has analysis of the first phase of HITECH:

Phase I implementation (2011–2014) provides a graduated series of financial incentives to physicians and hospitals. At the same time, certain information security measures must be implemented along with the expanded use of electronic health records and information exchanges.

For healthcare facilities, these security measures include implementation of access control; data integrity; emergency management; encryption of data at rest, in motion, and removable media; identity proofing; log analysis and management; and system timeout.

Healthcare organizations are advised to use an encryption algorithm that meets FIPS 197 (the AES standard) or better. It is important to ask your vendor about their encryption certifications, as a password prompt alone does not guarantee that the data on a device is actually encrypted.

Data Security, Healthcare

Kanguru Defender Elite and KRMC Chosen by Maryland Healthcare Provider

April 4th, 2011

Kanguru is pleased to announce that we have been chosen to provide a major healthcare provider in Maryland with secure flash drives and remote management software. Our encrypted flash drives will help keep their patient data safe and secure, and also help them meet HIPAA regulations relating to data security and privacy.

This is the latest of several secure flash drive standardizations Kanguru has recently been involved with across the government, healthcare, and financial industries. Healthcare providers have been under increasing scrutiny lately as the Department of Health and Human Services has stepped up enforcement of HIPAA privacy rules. Kanguru's remote management platform provides protection against data breaches as well as audit logs for proof of compliance.

Data Security, Healthcare, Portable Storage

Keeping tabs on your data

March 7th, 2011

Here at Kanguru we frequently talk about encrypting and securing your mobile data, but we sometimes don't stress enough the importance of tracking and monitoring data usage. As important as it is to secure your data, it is equally important to know where it is going.

When an employee leaves the office for the day, taking his work with him on a flash drive, where is that data going? A quick stop by the local coffee shop, where it is opened on an unsecured wireless network? To an unsecured home computer?

These possibilities, along with the risks associated with them, are why Kanguru emphasizes a total security solution. This can be especially advantageous to organizations that are required to meet security regulations like HIPAA, the HITECH Act or any one of the many state-level data breach laws.

Tracking and monitoring can be done via Kanguru's Remote Management Console and USB Device Control, a tandem of products designed specifically to allow organizations to keep tabs on and secure their portable data.

It is time to look beyond encryption and recognize the importance of endpoint security as a key element in the overall picture of securing your data. Some options to look for in endpoint security and remote management:

1.) Device Control - Control what, when and how USB devices are allowed to access your computers.

2.) IP and Domain Control - Manage which IP addresses and/or domains devices are allowed to access, using whitelist and blacklist methodology.

3.) Auditing and Reporting - Get a full audit trail with detailed graphical reporting and the ability to export both customizable audit logs and graphs for external analysis to demonstrate compliance.

4.) Remote Provisioning - Manage security policy changes remotely from a single location. Control password complexity, password expiration, software updates, patches, A/V definitions, online and offline access, and more.

Data Security

Cracking down on HIPAA violations

February 28th, 2011

The Department of Health and Human Services is stepping up enforcement of HIPAA privacy laws by handing out new fines against two violators.

From Government Computer News:

HIPAA requires health plans, health care clearinghouses and most health care providers to protect the privacy of patient information through administrative, physical and technical safeguards.

After an investigation by OCR, the agency found Mass General in violation when an employee left documents relating to 192 patients on a subway train. The documents, which were never recovered, included information on patient names, dates of birth, medical record numbers, health insurers and policy numbers, diagnoses and name of providers for 66 of those patients. HHS discovered the loss after a patient reported the records lost on March 9, 2009.

Mass General was fined $1 million for this violation. Imagine how many USB flash drives and other portable devices get lost in subway trains, taxis and other public places every year. With HHS handing down stiff penalties, it is time to consider security plans for these devices.

Data Security, Healthcare, Portable Storage

HIPAA Fines Underscore Need for Securing Data

February 11th, 2011

The loss of an unencrypted portable hard drive containing private health information has proven extremely costly and time consuming for Health Net, Inc., and Health Net of the Northeast, Inc.

The health insurance company is now being fined $55,000 by the State of Vermont and must also submit to a data-security audit and file reports with the State regarding the company's information security programs for the next two years.

“The lawsuit is Vermont’s first enforcement action under the Security Breach Notice Act and the second HIPAA enforcement action of its kind since state attorneys general were given HIPAA enforcement authority in 2009.”

Read more at Infosec Island.

Data Security, Healthcare

The cost of security compliance

February 2nd, 2011

Which is more costly to a business: spending the money to become compliant with federally mandated security regulations, or remaining noncompliant?

A recent study by the Ponemon Institute compared the cost of complying with state and federal security regulations against the cost of potential business disruption, productivity loss, revenue loss, and fines. Read more about it here.

Data Security